
MICROSOFT SQL SERVER 2008 DATABASE ENGINE COMMON CRITERIA EVALUATION


Document information

Title: Security Target SQL Server 2008 Team
Author: Roger French
Organization: Microsoft Corporation
Subject: Database Security
Type: Security target
Year: 2009
Pages: 56
Size: 657.02 KB



This document is the Security Target (ST) for the Common Criteria certification of the database engine of Microsoft® SQL Server® 2008.

Keywords

CC, ST, Common Criteria, SQL, Security Target


Table of Contents

1 ST INTRODUCTION
1.1 ST and TOE Reference
1.2 TOE Overview
1.3 TOE Description
1.3.1 Product Type
1.3.2 Physical Scope and Boundary of the TOE
1.3.3 Architecture of the TOE
1.3.4 Logical Scope and Boundary of the TOE
1.4 Conventions

2 CONFORMANCE CLAIMS
2.1 CC Conformance Claim
2.2 PP Conformance Claim

3 SECURITY PROBLEM DEFINITION
3.1 Assets
3.2 Assumptions
3.3 Threats
3.4 Organizational Security Policies

4 SECURITY OBJECTIVES
4.1 Security Objectives for the TOE
4.2 Security Objectives for the Operational Environment
4.3 Security Objectives Rationale
4.3.1 Overview
4.3.2 Rationale for TOE Security Objectives
4.3.3 Rationale for Environmental Security Objectives

5 EXTENDED COMPONENT DEFINITION
5.1 Definition for FAU_STG.5.EXP

6 IT SECURITY REQUIREMENTS
6.1 TOE Security Functional Requirements
6.1.1 Class FAU: Security Audit
6.1.2 Class FDP: User Data Protection
6.1.3 Class FIA: Identification and Authentication
6.1.4 Class FMT: Security Management
6.2 TOE Security Assurance Requirements
6.3 Security Requirements Rationale
6.3.1 Security Functional Requirements Rationale
6.3.2 Rationale for Satisfying All Dependencies
6.3.3 Rationale for Assurance Requirements

7 TOE SUMMARY SPECIFICATION
7.1 Security Management (SF.SM)
7.2 Access Control (SF.AC)
7.3 Identification and Authentication (SF.I&A)
7.4 Security Audit (SF.AU)

8 APPENDIX
8.1 Concept of Ownership Chains
8.1.1 How Permissions Are Checked in a Chain
8.1.2 Example of Ownership Chaining
8.2 References
8.3 Glossary and Abbreviations
8.3.1 Glossary
8.3.2 Abbreviations

List of Tables

Table 1: Hardware and Software Requirements
Table 2: Assumptions
Table 3: Threats to the TOE
Table 4: Organizational Security Policies
Table 5: Security Objectives for the TOE
Table 6: Security Objectives for the TOE Environment
Table 7: Summary of Security Objectives Rationale
Table 8: Rationale for TOE Security Objectives
Table 9: Rationale for IT Environmental Objectives
Table 10: TOE Security Functional Requirements
Table 11: Auditable Events
Table 12: Default Server Roles
Table 13: Default Database Roles
Table 14: Rationale for TOE Security Requirements
Table 15: Functional Requirements Dependencies for the TOE

List of Figures

Figure 1: TOE
Figure 2: Concept of Ownership Chaining

1 ST Introduction

a) A security problem expressed as a set of assumptions about the security aspects of the environment, a list of threats that the TOE is intended to counter, and any known rules with which the TOE must comply (chapter 3, Security Problem Definition)

b) A set of security objectives and a set of security requirements to address the security problem (chapters 4 and 6, Security Objectives and IT Security Requirements, respectively)

c) The IT security functions provided by the TOE that meet the set of requirements (chapter 7, TOE Summary Specification)

1.1 ST and TOE Reference

This chapter provides the information needed to identify and control this ST and its Target of Evaluation (TOE).

ST Title: Microsoft SQL Server 2008 Database Engine Common Criteria Evaluation Security Target

Certification-ID: BSI-DSZ-CC-0520

TOE Identification: Database Engine of Microsoft SQL Server 2008 Enterprise Edition (English) x86 and x64 and its related guidance documentation ([AGD] and [AGD_ADD])

TOE Platform: Windows Server 2008 Enterprise Edition (English) Version 6.0.6001

CC Identification: Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 1 as of September 2006 for part I, Revision 2 as of September 2007 for parts II and III, English version

Evaluation Assurance Level: EAL 1 augmented by ASE_OBJ.2, ASE_REQ.2 and ASE_SPD.1

Keywords: CC, ST, Common Criteria, SQL, Security Target


1.2 TOE Overview

The TOE is the database engine of SQL Server 2008. SQL Server is a Database Management System (DBMS).

The TOE has been developed as the core of the DBMS to store data in a secure way.

The security functionality of the TOE comprises:

1.3 TOE Description

This chapter provides context for the TOE evaluation by identifying the product type and describing the evaluated configuration. The main purpose of this chapter is to bind the TOE in physical and logical terms. The chapter starts with a description of the product type before it introduces the physical scope, the architecture and, last but not least, the logical scope of the TOE.

1.3.1 Product Type

The product type of the Target of Evaluation (TOE) described in this ST is a database management system (DBMS) with the capability to limit TOE access to authorized users, enforce Discretionary Access Controls on objects under the control of the database management system based on user and/or role authorizations, and to provide user accountability via audit of users' actions.

A DBMS is a computerized repository that stores information and allows authorized users to retrieve and update that information. A DBMS may be a single-user system, in which only one user may access the DBMS at a given time, or a multi-user system, in which many users may access the DBMS simultaneously.

The TOE described in this ST is the database engine and therefore part of SQL Server 2008. It provides a relational database engine with mechanisms for Access Control, Identification and Authentication, and Security Audit.


The SQL Server platform additionally includes the following tools, which are not part of the TOE:

- SQL Server Replication: Data replication for distributed or mobile data processing applications and integration with heterogeneous systems.

- Analysis Services: Online analytical processing (OLAP) capabilities for the analysis of large and complex datasets.

- Reporting Services: A comprehensive solution for creating, managing, and delivering both traditional, paper-oriented reports and interactive, Web-based reports.

- Integration Services: Microsoft Integration Services is a platform for building enterprise-level data integration and data transformation solutions.

- Management tools: The SQL Server platform includes integrated management tools for database management and tuning as well as tight integration with tools such as Microsoft Operations Manager (MOM) and Microsoft Systems Management Server (SMS).

- Development tools: SQL Server offers integrated development tools for the database engine, data extraction, transformation, and loading (ETL), data mining, OLAP, and reporting that are tightly integrated with Microsoft Visual Studio to provide end-to-end application development capabilities.

- Other tools offered by the installation process: Full Text Search, Business Intelligence Development Studio, Client tools connectivity, Client tools backwards compatibility, Client tools SDK, SQL client connectivity SDK, Microsoft sync framework.

The TOE itself comprises only the database engine of the SQL Server 2008 platform, which provides the security functionality required by this ST. Any additional tools of the SQL Server 2008 platform interact with the TOE as a standard SQL client. The scope and boundary of the TOE are described in the next chapter. Please refer to [AGD_ADD] for more information about the installation process of the TOE.

1.3.2 Physical Scope and Boundary of the TOE

The TOE is the database engine of SQL Server 2008 and its related guidance documentation. This engine has been evaluated in two different configurations (x86 and x64), while the IA64 version of the database engine has not been evaluated.

The following figure shows the TOE (including its internal structure) and its immediate environment.

Figure 1: TOE

As seen in Figure 1, the TOE internally comprises the following logical units:

The Communication part is the interface for programs accessing the TOE. It is the interface between the TOE and clients performing requests. All responses to user application requests return to the client through this part of the TOE.

The Relational Engine is the core of the database engine and is responsible for all security relevant decisions. The relational engine establishes a user context, syntactically checks every Transact-SQL (T-SQL) statement, compiles every statement, checks permissions to determine if the statement can be executed by the user associated with the request, optimizes the query request, builds and caches a query plan, and executes the statement.

The Storage Engine is a resource provider. When the relational engine attempts to execute a T-SQL statement that accesses an object for the first time, it calls upon the storage engine to retrieve the object, put it into memory and return a pointer to the execution engine. To perform these tasks, the storage engine manages the physical resources for the TOE by using the Windows OS.

The SQL-OS is a resource provider for all situations where the TOE uses functionality of the operating system. SQL-OS provides an abstraction layer over common OS functions and was designed to reduce the number of context switches within the TOE. SQL-OS especially contains functionality for Task Management and for Memory Management.

For Task Management the TOE provides an OS-like environment for threads, including scheduling and synchronization, all running in user mode, and all (except for I/O) without calling the Windows Operating System.

The Memory Manager is responsible for the TOE memory pool. The memory pool is used to supply the TOE with its memory while it is executing. Almost all data structures that use memory in the TOE are allocated in the memory pool. The memory pool also provides resources for transaction logging and data buffers.

The immediate environment of the TOE comprises:

The Windows 2008 Server Enterprise Edition Operating System, which hosts the TOE. As the TOE is a software-only TOE, it lives as a process in the Operating System (OS) and uses the resources of the OS. These resources comprise general functionality (e.g. the memory management and scheduling features of the OS) as well as specific functionality of the OS which is important for the Security Functions of the TOE (see chapter 7 for more details).

Other parts of the SQL Server 2008 Platform, which might be installed together with the TOE. The TOE is the central part of a complete DBMS platform and realizes all Security Functions as described in this ST. Other parts of the platform may be installed on the same machine if they are needed to support the operation or administration of the TOE; these other parts interact with the TOE in the same way every other client would.

Clients (comprising local clients and remote clients) are used to interact with the TOE during administration and operation. Services of the Operating System are used to route the communication of remote clients with the TOE.

The TOE relies on functionality of the Windows 2008 Server Operating System and has the following hardware/software requirements:


Table 1: Hardware and Software Requirements

CPU:
- Pentium III compatible at 1 GHz or faster (for the 32-bit edition)
- AMD Opteron, AMD Athlon 64, Intel Xeon with Intel EM64T support, Intel Pentium IV with EM64T support at 1.4 GHz or faster

Hard Disk: approx. 1500 MB of free space

Other: DVD-ROM drive, display at Super VGA resolution, Microsoft mouse-compatible pointing device, keyboard

Software: Windows Server 2008 Enterprise Edition (64-bit or 32-bit), English version, version 6.0.6001; .NET Framework 3.5 SP1; Windows Installer 4.5

The following guidance documents and supportive information belong to the TOE:

- SQL Server 2008 Books Online: This is the general guidance documentation for the complete SQL Server 2008 platform.

- SQL Server Guidance Addendum / Installation / Startup: This document contains the aspects of the guidance that are specific to the evaluated configuration of SQL Server 2008.

The website https://www.microsoft.com/sql/commoncriteria/2008/EAL1/default.mspx contains additional information about the TOE and its evaluated configuration. The guidance addendum that describes the specific aspects of the certified version can also be obtained via this website. The guidance addendum extends the general guidance of SQL Server 2008 that ships along with the product in the form of Books Online.

This website shall be visited before using the TOE.

1.3.3 Architecture of the TOE

The TOE described in this ST comprises one instance of the SQL Server 2008 database engine, but has the possibility to serve several clients simultaneously.

1.3.4 Logical Scope and Boundary of the TOE

SQL Server 2008 is able to run multiple instances of the database engine on one machine. After installation one default instance exists; however, the administrator is able to add more instances of SQL Server 2008 to the same machine.

The TOE comprises one instance of SQL Server 2008. Within this ST it is referenced either as "the TOE" or as "instance". The machine the instances are running on is referenced as

If more than one instance of SQL Server 2008 is installed on one machine, these simply represent multiple TOEs, as there is no interface between two instances of the TOE other than the standard client interface. In this way two or more instances of the TOE may only communicate through the standard client interface.

The TOE provides the following set of security functionality:

- The Access Control function of the TOE controls the access of users to user and TSF data stored in the TOE. It further ensures that only authorized administrators are able to manage the TOE.

- The Security Audit function of the TOE produces log files about all security relevant events.

- The Management function allows authorized administrators to manage the behavior of the security functions of the TOE.

- The Identification and Authentication function of the TOE is able to identify and authenticate users.

The following functions are part of the environment:

- The Audit Review and Audit Storage functionality has to be provided by the environment and provide the authorized administrators with the capability to review the security relevant events of the TOE.

- The Access Control mechanisms have to be provided by the environment for files stored in the environment.

- The environment provides Identification and Authentication for users in the cases where this is required by the TOE. (The environment AND the TOE provide mechanisms for user authentication. See chapter 7.3 for more details.)

- The environment has to provide time stamps to be used by the TOE.

- The environment provides a cryptographic mechanism for hashing of passwords.

All these functions are provided by the underlying Operating System (Windows 2008 Server Enterprise Edition) except Audit Review, for which an additional tool has to be used (e.g. the SQL Server Profiler, which is part of the SQL Server Platform).

Access to the complete functionality of the TOE is possible via a set of SQL commands (see [TSQL]). This set of commands is available via:

- TCP/IP
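The functions listed above (access control on user and TSF data, management restricted to administrators) and the split between environment-provided and TOE-provided identification and authentication are all exercised through the T-SQL interface the section refers to. The script below is an added example written for this page; it is not part of the Security Target or of the evaluated guidance ([AGD_ADD]), and which of the two authentication paths is permitted in the evaluated configuration is a matter for chapter 7.3 and [AGD_ADD], not for this script. The domain CORP, the principals alice and svc_report, the database SalesDB and the tables dbo.Orders and dbo.Salaries are all made-up names.

```sql
-- Added example, not from the Security Target. Every name in it (CORP\alice,
-- svc_report, SalesDB, dbo.Orders, dbo.Salaries) is assumed for illustration.
-- Run as a member of the sysadmin server role on a SQL Server 2008 instance.

-- 1. I&A provided by the environment: Windows authenticates CORP\alice and the
--    engine only maps the already-authenticated principal to a server login.
CREATE LOGIN [CORP\alice] FROM WINDOWS;

-- 2. I&A provided by the TOE itself: a SQL login whose password hash the engine
--    stores. CHECK_POLICY / CHECK_EXPIRATION hand complexity, lockout and expiry
--    rules to the host's Windows password policy (A.OS / OE.OS in this ST).
CREATE LOGIN svc_report
    WITH PASSWORD = N'Replace-Me-Before-Use-1!', CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO

CREATE DATABASE SalesDB;
GO
USE SalesDB;
GO
CREATE TABLE dbo.Orders   (order_id int PRIMARY KEY, amount money);
CREATE TABLE dbo.Salaries (emp_id   int PRIMARY KEY, salary money);

-- 3. Discretionary access control: permissions are granted on objects to a role,
--    and role membership is granted to database users (a user is the
--    database-level identity that a server login maps to).
CREATE USER alice      FOR LOGIN [CORP\alice];
CREATE USER svc_report FOR LOGIN svc_report;
CREATE ROLE report_readers;
GRANT SELECT ON SCHEMA::dbo TO report_readers;
EXEC sp_addrolemember @rolename = 'report_readers', @membername = 'svc_report';
EXEC sp_addrolemember @rolename = 'report_readers', @membername = 'alice';

-- An explicit DENY on the principal overrides any GRANT inherited through a role.
DENY SELECT ON OBJECT::dbo.Salaries TO svc_report;

-- 4. Check the effective permission from the user's own security context instead
--    of trusting the GRANT/DENY statements: HAS_PERMS_BY_NAME returns 1 when the
--    permission is effective for the current user and 0 when it is not.
EXECUTE AS USER = 'svc_report';
SELECT HAS_PERMS_BY_NAME('dbo.Orders',   'OBJECT', 'SELECT') AS can_read_orders,
       HAS_PERMS_BY_NAME('dbo.Salaries', 'OBJECT', 'SELECT') AS can_read_salaries;
REVERT;
```

For svc_report the first column comes back 1 (SELECT inherited through report_readers) and the second 0, because the DENY on dbo.Salaries wins over the role's GRANT. Impersonating the user with EXECUTE AS before checking is the point: permission checks evaluated as the administrator who wrote the GRANTs always succeed and tell you nothing about what the engine will actually mediate for that user.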

1.4 Conventions

For this Security Target the following conventions are used:

The CC allows several operations to be performed on functional requirements; refinement, selection, assignment, and iteration are defined in chapter C.4 of Part 1 of the CC. Each of these operations is used in this ST.

The refinement operation is used to add detail to a requirement, and thus further restricts a requirement. Refinement of security requirements is denoted by bold text.

The selection operation is used to select one or more options provided by the CC in stating a requirement. Selections that have been made are denoted by italicized text.

The assignment operation is used to assign a specific value to an unspecified parameter, such as the length of a password. Assignments that have been made are denoted by showing the value in square brackets, [Assignment_value].

The iteration operation is used when a component is repeated with varying operations. Iteration is denoted by showing the iteration number in parentheses following the component identifier, (iteration_number).

The CC paradigm also allows protection profile and security target authors to create their own requirements. Such requirements are termed 'explicit requirements' and are permitted if the CC does not offer suitable requirements to meet the authors' needs. Explicit requirements must be identified and are required to use the CC class/family/component model in articulating the requirements. In this ST, explicit requirements are indicated with ".EXP" following the component name.


2 Conformance Claims

2.1 CC Conformance Claim

This Security Target claims to be:

- CC Part 2 (Version 3.1, Revision 2, September 2007) extended, due to the use of the component FAU_STG.5.EXP

- CC Part 3 (Version 3.1, Revision 2, September 2007) conformant, as only assurance components as defined in part III of [CC] have been used

Further, this Security Target claims to be conformant to the Security Assurance Requirements package EAL 1 augmented by ASE_OBJ.2, ASE_REQ.2 and ASE_SPD.1.

2.2 PP Conformance Claim

This Security Target does not claim conformance to any Protection Profile.


3 Security Problem Definition

This chapter describes

- the assets that have to be protected by the TOE,

- assumptions about the environment of the TOE,

- threats against those assets, and

- organizational security policies that the TOE shall comply with.

3.1 Assets

The TOE maintains two types of data which represent the assets: User Data and TSF Data.

The primary assets are the User Data, which comprise the following:

- The user data stored in or as database objects;

- User-developed queries or procedures that the DBMS maintains for users.

The secondary assets comprise the TSF data that the TOE maintains and uses for its own operation. This kind of data is also called metadata. It specifically includes:

- The definitions of user databases and database objects,

- Configuration parameters,

- User security attributes,

- Security Audit instructions and records.


3.2 Assumptions

The following table lists all the assumptions about the environment of the TOE.

Table 2 - Assumptions

A.NO_EVIL: Administrators are non-hostile, appropriately trained, and follow all administrator guidance.

A.NO_GENERAL_PURPOSE: There are no general-purpose computing capabilities (e.g., compilers or user applications) available on DBMS servers, other than those services necessary for the operation, administration and support of the DBMS.

A.OS: It is assumed that the TOE is installed on Windows Server 2008 Enterprise Edition and that this Operating System provides functionality for
- Identification and authentication of users,
- Access Control for Files,
- Time stamps,
- Audit Storage,
- Hashing of passwords.

A.PHYSICAL: It is assumed that appropriate physical security is provided for the server on which the TOE is installed, considering the value of the stored, processed, and transmitted information.

A.COMM: It is assumed that any communication path from and to the TOE is appropriately secured to avoid eavesdropping and manipulation.

3.3 Threats

Table 3 - Threats to the TOE

T.ACCIDENTAL_ADMIN_ERROR: An administrator may incorrectly install or configure the TOE, resulting in ineffective TSF data and therewith ineffective security mechanisms.

T.MASQUERADE: A user or process may claim to be another entity in order to gain unauthorized access to data or TOE resources.

T.TSF_COMPROMISE: A user or process may try to access (i.e. view, modify or delete) configuration data of the TOE. This could allow the user or process to gain knowledge about the configuration of the TOE, or could bring the TOE into an insecure configuration in which the security mechanisms for the protection of the assets are no longer working correctly.

T.UNAUTHORIZED_ACCESS: A user may try to gain unauthorized access to user data for which they are not authorized according to the TOE security policy. Within the scope of this threat the user just tries to access assets he doesn't have permission on, without trying to masquerade as another user or circumventing the security mechanism in any other way.


3.4 Organizational Security Policies

An organizational security policy is a set of rules, practices, and procedures imposed by an organization to address its security needs. This chapter identifies the organizational security policies applicable to the TOE.

Table 4 – Organizational Security Policies

P.ACCOUNTABILITY: The authorized users of the TOE shall be held accountable for their actions within the TOE.

P.ROLES: The TOE shall provide an authorized administrator role for secure administration of the TOE. This role shall be separate and distinct from other authorized users.


4 Security Objectives

The purpose of the security objectives is to detail the planned response to a security problem or threat. This chapter describes the security objectives for the TOE and its operational environment.

4.1 Security Objectives for the TOE

This chapter identifies and describes the security objectives of the TOE.

Table 5 - Security Objectives for the TOE

O.ADMIN_ROLE: The TOE will provide authorized administrator roles to isolate administrative actions. The TOE will provide administrators with the necessary information for secure management.

O.AUDIT_GENERATION: The TOE will provide the capability to detect and create records of security relevant events associated with users.

O.MANAGE: The TOE will provide all the functions and facilities necessary to support the authorized administrators in their management of the security of the TOE, and restrict these functions and facilities from unauthorized use.

O.MEDIATE: The TOE must protect user data in accordance with its security policy.

O.I&A: The TOE will provide a mechanism for identification and authentication of users.


4.2 Security Objectives for the operational Environment

The security objectives for the operational environment of the TOE are defined in the following table.

Table 6 - Security Objectives for the TOE Environment

OE.NO_EVIL: Sites using the TOE shall ensure that authorized administrators are non-hostile, appropriately trained and follow all administrator guidance.

OE.NO_GENERAL_PURPOSE: There will be no general-purpose computing capabilities (e.g., compilers or user applications) available on DBMS servers, other than those services necessary for the operation, administration and support of the DBMS.

OE.OS: The TOE shall be installed on Windows Server 2008 Enterprise Edition. This Operating System provides functionality for
- Identification and authentication of users,
- Access Control for Files,
- Time stamps,
- Audit Storage,
- Hashing of passwords.

OE.PHYSICAL: Physical security shall be provided for the server on which the TOE will be installed, considering the value of the stored, processed, and transmitted information.

OE.COMM: Any communication path from and to the TOE will be appropriately secured to avoid eavesdropping and manipulation.

OE.AUDIT_REVIEW: The environment shall provide tools for the administrators to review the audit logs that are produced by the TOE.


4.3 Security Objectives Rationale

4.3.1 Overview

The following table summarizes the rationale for the security objectives.

Table 7 – Summary of Security Objectives Rationale

Threats, Assumptions, OSP /


4.3.2 Rationale for TOE Security Objectives

Table 8 – Rationale for TOE Security Objectives

T.ACCIDENTAL_ADMIN_ERROR: An administrator may incorrectly install or configure the TOE, resulting in ineffective security mechanisms.
Objective addressing the threat: O.ADMIN_ROLE. The TOE will provide administrators with the necessary information for secure management.
Rationale: O.ADMIN_ROLE counters this threat by ensuring the TOE administrators have guidance that instructs them how to administer the TOE in a secure manner. Having this guidance, and considering the assumption A.NO_EVIL, mitigates the threat that an administrator might cause the TOE to be configured insecurely to an acceptable level.

T.MASQUERADE: A user or process may claim to be another entity in order to gain unauthorized access to data or TOE resources.
Objective addressing the threat: O.I&A. The TOE will provide a mechanism for identification and authentication of users.
Rationale: O.I&A counters this threat by providing the means to identify and authenticate the user where the I&A mechanisms of the environment are not used. The correct identity of the user is the basis for any decision of the TOE about an attempt of a user to access data. In this way it is not possible for a user or process to masquerade as another entity, and the threat is removed.

T.TSF_COMPROMISE: A user or process may try to access (i.e. view, modify or delete) configuration data of the TOE. This could allow the user or process to gain knowledge about the configuration of the TOE, or could bring the TOE into an insecure configuration in which the security mechanisms for the protection of the assets are no longer working correctly.
Objective addressing the threat: O.MANAGE. The TOE will provide all the functions and facilities necessary to support the authorized administrators in their management of the security of the TOE, and restrict these functions and facilities from unauthorized use.
Rationale: O.MANAGE counters this threat as it defines that only authorized administrators shall be able to use the management functionality provided by the TOE. In this way the threat is removed.

T.UNAUTHORIZED_ACCESS: A user may try to gain unauthorized access to user data for which they are not authorized according to the TOE security policy. Within the scope of this threat the user just tries to access assets he doesn't have permission on, without trying to masquerade as another user or circumventing the security mechanism in any other way.
Objectives addressing the threat: O.MEDIATE. The TOE must protect user data in accordance with its security policy.
Rationale: O.MEDIATE ensures that all accesses to user data are subject to mediation. The TOE requires successful authentication to the TOE prior to gaining access to any controlled-access content. Lastly, the TSF will ensure that all configured enforcement functions (authentication, access control rules, etc.) must be invoked prior to allowing a user to gain access to TOE or TOE-mediated services. The TOE restricts the ability to modify the security attributes associated with access control rules, access to authenticated and unauthenticated services, etc. to the administrator. Together with O.I&A this mechanism ensures that no user can gain unauthorized access to data, and in this way removes the threat.
O.I&A. The TOE will provide a mechanism for identification and authentication of users.
Rationale: O.I&A contributes to countering this threat by providing the means to identify and authenticate the user where the I&A mechanism of the environment is not used. The correct identity of the user is the basis for any decision of the TOE about an attempt of a user to access data.

P.ACCOUNTABILITY: The authorized users of the TOE shall be held accountable for their actions within the TOE.
Objectives addressing the policy: O.AUDIT_GENERATION. The TOE will provide the capability to detect and create records of security relevant events associated with users.
Rationale: O.AUDIT_GENERATION addresses this policy by providing the authorized administrator with the capability of configuring the audit mechanism to record the actions of a specific user.
O.I&A. The TOE will provide a mechanism for identification and authentication of users.
Rationale: O.I&A supports this policy by providing the means to identify and authenticate the user where the I&A mechanisms of the environment cannot be used. The identity of the user is stored in the audit logs.
OE.AUDIT_REVIEW.
Rationale: OE.AUDIT_REVIEW supports the policy for accountability as the environment of the TOE provides a means for audit review. Without this objective for the environment it would not be possible to review the audit logs that are produced by the TOE.

P.ROLES: The TOE shall provide an authorized administrator role for secure administration of the TOE. This role shall be separate and distinct from other authorized users.
Objective addressing the policy: O.ADMIN_ROLE. The TOE will provide authorized administrator roles to isolate administrative actions.
Rationale: The TOE has the objective of providing authorized administrator roles for secure administration. In this way the policy P.ROLES is fulfilled (by O.ADMIN_ROLE).


4.3.3 Rationale for environmental Security Objectives

The following table contains the rationale for the IT Environmental Objectives.

Table 9 – Rationale for IT Environmental Objectives

A.NO_EVIL: Administrators are non-hostile, appropriately trained, and follow all administrator guidance.
Environmental objective addressing the assumption: OE.NO_EVIL. Sites using the TOE shall ensure that authorized administrators are non-hostile, are appropriately trained and follow all administrator guidance.
Rationale: All authorized administrators are trustworthy individuals, having background investigations commensurate with the level of data being protected, have undergone appropriate admin training, and follow all admin guidance.

A.NO_GENERAL_PURPOSE: There are no general-purpose computing or storage repository capabilities (e.g., compilers or user applications) available on DBMS servers, other than those services necessary for the operation, administration and support of the DBMS.
Environmental objective addressing the assumption: OE.NO_GENERAL_PURPOSE. There will be no general-purpose computing capabilities (e.g., compilers or user applications) available on DBMS servers, other than those services necessary for the operation, administration and support of the DBMS.
Rationale: The DBMS server must not include any general-purpose computing or storage capabilities. This will protect the TSF data from malicious processes.

A.OS: The TOE is installed on Windows Server 2008 Enterprise Edition. This Operating System provides
- Identification and authentication of users,
- Access Control for Files,
- Time stamps,
- Audit Storage,
- Hashing of passwords.
Environmental objective addressing the assumption: OE.OS. The TOE shall be installed on Windows Server 2008 Enterprise Edition. This Operating System provides functionality for identification and authentication of users, access control for files, time stamps, audit storage, and hashing of passwords.
Rationale: The specific requirement on the Operating System ensures that the IT environment provides the necessary functionality for the operation of the TOE.

A.PHYSICAL: It is assumed that appropriate physical security is provided for the server on which the TOE is installed, considering the value of the stored, processed, and transmitted information.
Environmental objective addressing the assumption: OE.PHYSICAL. Physical security shall be provided for the server on which the TOE will be installed, considering the value of the stored, processed, and transmitted information.
Rationale: The TOE, the TSF data, and protected user data are assumed to be protected from physical attack (e.g., theft, modification, destruction, or eavesdropping). Physical attack could include unauthorized intruders into the TOE environment, but it does not include physical destructive actions that might be taken by an individual that is authorized to access the TOE environment.

A.COMM: It is assumed that any communication path from and to the TOE is appropriately secured to avoid eavesdropping and manipulation.
Environmental objective addressing the assumption: OE.COMM. Any communication path from and to the TOE will be appropriately secured to avoid eavesdropping and manipulation.
Rationale: A.COMM is completely and directly addressed by OE.COMM. OE.COMM and A.COMM both address the requirement that any communication path to and from the TOE has to be appropriately secured.


5 Extended Component Definition

5.1 Definition for FAU_STG.5.EXP

This chapter defines the extended functional component FAU_STG.5.EXP (Administrable prevention of audit data loss) of the existing functional class FAU (Security audit).

This component was defined because part II of [CC] does not contain any SFR which allows specifying a set of allowed actions that can be taken in the case where the audit storage is full. For the TOE described in this ST it was necessary to provide authorized administrators with the possibility to specify what should happen if the audit log is full.

The family FAU_STG is extended by the new component FAU_STG.5.EXP as shown in the following figure:

FAU_STG: Security audit event storage

Management for FAU_STG.5.EXP:

The following actions could be considered for management functions in FMT:

a) maintenance (deletion, modification, addition) of actions to be taken in case of audit storage failure

Audit for FAU_STG.5.EXP:

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

a) Basic: Actions taken due to potential audit storage failure
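The administrator-selectable action on audit storage failure that FAU_STG.5.EXP describes, and the per-user audit configuration that the P.ACCOUNTABILITY rationale (O.AUDIT_GENERATION) refers to, have a concrete counterpart in the SQL Server Audit feature that SQL Server 2008 ships with. The script below is an added example for this page, not text from the Security Target; it shows that feature's own syntax, and whether the evaluated configuration uses SQL Server Audit or SQL Trace is specified in chapter 7 of the ST, which this extract does not include. The audit name CC_Audit, the path D:\audit\, the database SalesDB and the user svc_report are assumed names.

```sql
-- Added example, not from the Security Target. Names (CC_Audit, D:\audit\,
-- SalesDB, svc_report) are assumed. Run as sysadmin on a SQL Server 2008 instance;
-- the database SalesDB and its user svc_report must already exist.

USE master;
GO
-- The audit object decides where records go and, via ON_FAILURE, what the engine
-- does when a record cannot be written (disk full, file unwritable):
--   SHUTDOWN  = stop the instance rather than run unaudited (no audit data loss)
--   CONTINUE  = keep serving requests and drop the audit records
-- This is the administrable choice FAU_STG.5.EXP is about.
CREATE SERVER AUDIT CC_Audit
    TO FILE (FILEPATH = N'D:\audit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO

-- Server-level events: every login attempt, changes to server principals, and
-- changes to the audit configuration itself (so tampering with the audit is logged).
CREATE SERVER AUDIT SPECIFICATION CC_ServerSpec
    FOR SERVER AUDIT CC_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO

USE SalesDB;
GO
-- Database-level events: record the data access of one specific user on the dbo
-- schema (the per-user recording O.AUDIT_GENERATION describes) plus all
-- permission changes on objects in this database.
CREATE DATABASE AUDIT SPECIFICATION CC_DbSpec
    FOR SERVER AUDIT CC_Audit
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo BY svc_report),
    ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO

USE master;
GO
ALTER SERVER AUDIT CC_Audit WITH (STATE = ON);
GO

-- Management function (a) from the FAU_STG.5.EXP definition: an administrator
-- later changes the action taken on storage failure. The audit has to be
-- stopped before any option other than STATE can be altered.
ALTER SERVER AUDIT CC_Audit WITH (STATE = OFF);
ALTER SERVER AUDIT CC_Audit WITH (ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT CC_Audit WITH (STATE = ON);
GO

-- Quick check from T-SQL that records are being written, including the audit
-- configuration changes just made. sys.dm_audit_actions maps action_id to a name.
-- In this ST, reviewing the audit in earnest is an environment function
-- (OE.AUDIT_REVIEW), done with an external tool.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_principal_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\audit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Two operational points follow from the ST's own assumptions. First, audit storage and file access control are environment functions (A.OS / OE.OS), so the directory D:\audit\ must be ACLed in Windows so that only the engine's service account can write to it and only administrators can read it; the engine does not protect those files itself. Second, ON_FAILURE = SHUTDOWN is the setting that actually prevents audit data loss, but it turns "fill the audit disk" into a way to take the instance down, and the login that creates or alters the audit with this option needs the SHUTDOWN permission; pick it deliberately and size MAXSIZE and MAX_ROLLOVER_FILES so that routine log growth cannot trigger it.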
